It's not an XSS/JS injection problem if you only allow people to add links. htmlentities() it, stick it in an href, and you're done.
The only risk is that people will use it to spam/phish/etc. and that should be handled with, at the very least, some sort of moderation mechanism. Blacklists are fine but you will never even get close to catching everything.